I've been asked to block all internal users from accessing the internet if they are not authenticated by Active Directory. Could you please assist me in doing that ASAP? We have Active Directory and a Cisco ASA firewall.

It's been a while since I touched anything Cisco, but I can't remember that functionality ever being in the PIX. What you should look at is implementing a web proxy using something like ISA Server. This will allow you to specify who can access the web and under what restrictions you place, e.g. authentication status, time of day, etc.

It depends on which port they are using. I recall that products like MSN Messenger use HTTP to transmit and receive chat data, making it hard to block because you don't want to block port 80 and stop normal web browsing.

I suggest using a most-restrictive firewall policy. The last ACL should be an explicit deny all, and the preceding ACLs should be something like:

Allow 443 from internal-pcs to external
Allow 80 from internal-pcs to external
Deny all from any to any

You can specifically deny these ports if you wish; however, it is more effective to use the explicit deny. If you are just getting to grips with ACLs then it's worth implementing them and testing them yourself, for example by blocking the ports to all computers except your own. Remember that ACLs are read in order, so:

Streaming can be blocked, again using the explicit deny; explicitly allowing only the ports that you need will do. If you want to get into specifically blocking the streaming then you will need to block certain UDP ports.

The reason I recommend only allowing what you need and blocking everything else with one big DENY statement at the end is that it is very easy to understand. Also, it means that if anyone starts using a new product which uses a different port then you don't have to change your firewall rule in the future, because you block it already.
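To make the ordering point concrete, here is an added example (not from this thread or from Cisco) that simulates first-match ACL evaluation in Python. The rules mirror the three lines suggested above (permit 443, permit 80, explicit deny all), plus a misordered copy with the deny placed first, and a handful of constructed sample packets. The network addresses, port numbers and the `evaluate`/`decisions` helpers are assumptions for illustration, not ASA syntax or a real environment.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]  # (protocol, destination port), e.g. ("tcp", 443)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str  # CIDR or "any"
    dst: str  # CIDR or "any"
    services: Optional[FrozenSet[Service]]  # None means any protocol/port


def _net_matches(cidr: str, addr: str) -> bool:
    """'any' matches everything; otherwise test membership in the CIDR block."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not _net_matches(rule.src, pkt.src) or not _net_matches(rule.dst, pkt.dst):
        return False
    return rule.services is None or (pkt.proto, pkt.dport) in rule.services


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation, the way an ACL is read top to bottom.

    Returns (action, index_of_matching_rule). If no rule matches, the
    result is ("deny", None): the implicit deny that applies when a packet
    falls off the end of the list. The thread recommends adding an explicit
    deny as the last rule so that catch-all is visible in the ACL itself.
    """
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed values: an internal range and the services named in the thread.
INTERNAL_PCS = "10.0.0.0/8"  # assumed address space for "internal-pcs"

RECOMMENDED_ACL: List[Rule] = [
    Rule("permit", INTERNAL_PCS, "any", frozenset({("tcp", 443)})),  # Allow 443
    Rule("permit", INTERNAL_PCS, "any", frozenset({("tcp", 80)})),   # Allow 80
    Rule("deny", "any", "any", None),                                 # Deny all
]

# Same three rules, but with the deny-all placed first: because evaluation
# stops at the first match, the two permits below it can never be reached.
MISORDERED_ACL: List[Rule] = [RECOMMENDED_ACL[2], RECOMMENDED_ACL[0], RECOMMENDED_ACL[1]]

# Constructed sample traffic from an internal PC to an outside host.
SAMPLE_TRAFFIC = {
    "https": Packet("10.1.2.3", "203.0.113.10", "tcp", 443),
    "http": Packet("10.1.2.3", "203.0.113.10", "tcp", 80),
    "chat_tcp_1863": Packet("10.1.2.3", "203.0.113.10", "tcp", 1863),
    "stream_udp_5004": Packet("10.1.2.3", "203.0.113.10", "udp", 5004),
}


def decisions(acl: List[Rule]) -> dict:
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("recommended", RECOMMENDED_ACL), ("misordered", MISORDERED_ACL)):
        print(label)
        for name, pkt in SAMPLE_TRAFFIC.items():
            action, idx = evaluate(acl, pkt)
            print(f"  {name:16s} {pkt.proto}/{pkt.dport:<5} -> {action} (rule {idx})")
```

Running the script shows the recommended order permitting only HTTP and HTTPS and sending the chat and streaming flows to the final deny, while the misordered list denies everything at rule 0. That is exactly the behaviour to check for when testing a new ACL against your own machine before rolling it out to all internal PCs.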

and object-group web has (http, https, dns); is that what allows inside to connect to the internet? Because I think the services to connect to should be at the end of the ACL, am I right? I mean it should be like this:

ISA/Squid and most any web proxy software that can be configured for LDAP access can be configured to deny access to unauthenticated users. A web proxy would also allow you to block those sites that offer IM over the web, such as meebo.